Web Server Hardening
DESCRIPTION
Web Server Hardening by Supraja Shankaran @ null Pune Meet, September 2011
TRANSCRIPT
Web Server Hardening
Supraja Shankar, Symbiosis Institute of Computer Studies and Research
Web server
● It is a client-server architecture.
● The function of a web server is to service requests made over the HTTP protocol.
Main threats to a web server
• Profiling
• Denial of service
• Unauthorized access
• Arbitrary code execution
• Elevation of privileges
• Viruses, worms, and Trojan horses
Source: http://msdn.microsoft.com/en-us/library/ff648653.aspx
Apache
An overview
● Apache runs under a multitasking operating system.
● The binary is httpd on Unix and apache.exe on Windows.
● It usually runs in the background.
● Originally named from "A PAtCHy" server, in 1991.
● Open source under the Apache License.
Structure
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
Core structure
Source: http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
Securing Apache
Securing Apache
● mod_auth
  ● For authorizing content
  ● AuthUserFile file-path names the file where usernames and passwords are saved.
  ● Passwords can be set with the htpasswd command.
● mod_access
  ● Limits access
  ● Can cover a whole set of IPs or be narrowed down to ports
  ● Deny / Allow / Order directives
Hardening
Remove the default Apache files:
~> sudo rm -fr /opt/apache2/htdocs/*
~> sudo rm -fr /opt/apache2/cgi-bin/*
~> sudo rm -fr /opt/apache2/icons
Hide the Apache version number (in httpd.conf):
ServerSignature Off
ServerTokens Prod
Chroot the server process.
Hardening From Source
● userdir – mapping of requests to user-specific directories, i.e. a username in the URL is translated to a directory on the server
● autoindex – displays a directory listing when no index.html file is present
● status – displays server stats
● env – clearing/setting of ENV vars
● setenvif – setting ENV vars based on request headers
● cgi – CGI scripts
● actions – action triggering on requests
● negotiation – content negotiation
● alias – mapping of requests to different filesystem parts
● include – Server Side Includes
● filter – smart filtering of requests
● version – handling version information in config files using IfVersion
● as-is – as-is file types
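To check an httpd.conf against the two preceding slides (ServerSignature Off and ServerTokens Prod from the Hardening slide, and the module list above), here is an added shell audit that is not part of the original deck. It assumes a build hardened as the slides describe would not have LoadModule lines for those modules, and it uses constructed sample configs rather than real server files.

```shell
#!/bin/sh
# Audit an httpd.conf against the Apache hardening items from the slides:
# ServerSignature Off, ServerTokens Prod, and none of the modules listed under
# "Hardening From Source" loaded. The sample configs below are constructed.

# Modules the deck lists for leaving out of a hardened build.
RISKY_MODULES="userdir autoindex status env setenvif cgi actions negotiation alias include filter version asis"

# has_directive CONF REGEX: true if an uncommented line of CONF matches REGEX.
has_directive() {
    sed 's/#.*//' "$1" | grep -Eiq "$2"
}

# audit_httpd_conf CONF: prints one FINDING line per problem, then the count.
audit_httpd_conf() {
    n=0
    has_directive "$1" '^[[:space:]]*ServerSignature[[:space:]]+Off' ||
        { echo "FINDING: ServerSignature not Off (version shown on error pages)"; n=$((n + 1)); }
    has_directive "$1" '^[[:space:]]*ServerTokens[[:space:]]+Prod' ||
        { echo "FINDING: ServerTokens not Prod (full version in Server header)"; n=$((n + 1)); }
    for m in $RISKY_MODULES; do
        if has_directive "$1" "^[[:space:]]*LoadModule[[:space:]]+${m}_module"; then
            echo "FINDING: mod_$m is loaded; disable it unless the site needs it"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# count_findings CONF: only the number of findings (last line of the audit).
count_findings() { audit_httpd_conf "$1" | tail -n 1; }

# Constructed sample configs: one default-like, one hardened as the slides advise.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/weak.conf" <<'EOF'
ServerTokens Full
ServerSignature On
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule status_module modules/mod_status.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF
cat > "$WORK/hardened.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule rewrite_module modules/mod_rewrite.so
EOF
echo "weak.conf:";     audit_httpd_conf "$WORK/weak.conf"
echo "hardened.conf:"; audit_httpd_conf "$WORK/hardened.conf"
```

Point the audit at the real httpd.conf to see which of the slide's items still apply; commented-out directives are ignored so a `#LoadModule` line does not count as loaded.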
IIS
What is IIS?
♦ IIS (Internet Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File Transfer Protocol server) with additional capabilities for Microsoft's Windows NT and Windows 2000 Server operating systems.
♦ IIS is Microsoft's entry to compete in the Internet server market that is also addressed by Apache, Sun Microsystems, O'Reilly, and others.
♦ With IIS, Microsoft includes a set of programs for building and administering Web sites, a search engine, and support for writing Web-based applications that access databases.
♦ Microsoft points out that IIS is tightly integrated with the Windows NT and 2000 Servers in a number of ways, resulting in faster Web page serving.
TOPOLOGY
Source: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24016818.html
FEATURES
◙ HTTP modules
◙ Security modules
◙ Content modules
◙ Compression modules
◙ Caching modules
◙ Logging and Diagnostics modules
Vulnerabilities
Microsoft has been criticized for IIS's susceptibility to computer virus attacks such as Code Red and Nimda.
According to Secunia, as of June 2011, IIS 7 had a total of 6 resolved vulnerabilities while IIS 6 had a total of 11 vulnerabilities out of which 1 was still unpatched. The unpatched security advisory has a severity rating of 2 out of 5.
Securing IIS
Hardening Domains
GENERAL
• Do not connect an IIS server to the Internet until it is fully hardened.
• Place the server in a physically secure location.
• Do not install the IIS server on a domain controller.
• Do not install a printer.
• Use two network interfaces in the server: one for administration and one for the network.
• Install service packs, patches and hot fixes.
• Run IISLockdown on the server.
• Install and configure URLScan.
• Secure remote administration of the server and configure it for encryption, low session time-outs and account lockouts.
• Disable unnecessary Windows services.
• Ensure services are running with least-privileged accounts.
GENERAL (continued)
• Disable FTP, SMTP and NNTP services if they are not required.
• Disable the Telnet service.
• Disable the ASP.NET state service if not used by your applications.
• Disable WebDAV if not used by the application, or secure it if it is required.
• Do not install Data Access Components unless specifically needed.
• Do not install the HTML version of the Internet Services Manager.
• Do not install the MS Index Server unless required.
• Do not install the MS FrontPage Server Extensions unless required.
• Harden the TCP/IP stack.
• Disable NetBIOS and SMB (closing ports 137, 138, 139 and 445).
• Reconfigure Recycle Bin and page file system data policies.
• Secure CMOS settings.
• Secure physical media (floppy drive, CD-ROM drive and so on).
ACCOUNTS
• Remove unused accounts from the server.
• Disable the Windows Guest account.
• Rename the Administrator account and set a strong password.
• Disable the IUSR_MACHINE account if it is not used by the application.
• Create a custom least-privileged anonymous account if applications require anonymous access.
• Do not give the anonymous account write access to Web content directories or allow it to execute command-line tools.
• If you host multiple Web applications, configure a separate anonymous user account for each one.
ACCOUNTS (continued)
• Configure the ASP.NET process account for least privilege. (This only applies if you are not using the default ASP.NET account, which is a least-privileged account.)
• Enforce strong account and password policies for the server.
• Restrict remote logons. (The "Access this computer from the network" user right is removed from the Everyone group.)
• Do not share accounts among administrators.
• Disable null sessions (anonymous logons).
• Require approval for account delegation.
• Do not allow users and administrators to share accounts.
• Do not create more than two accounts in the Administrators group.
• Require administrators to log on locally or secure the remote administration solution.
FILES AND DIRECTORIES
• Use multiple disks or partition volumes and do not install the Web server home directory on the same volume as the operating system folders.
• Contain files and directories on NTFS volumes.
• Put Web site content on a non-system NTFS volume.
• Create a new site and disable the default site.
• Put log files on a non-system NTFS volume, but not on the same volume where the Web site content resides.
• Restrict the Everyone group (no access to \WINNT\system32 or Web directories).
• Ensure the Web site root directory has a deny-write ACE for anonymous Internet accounts.
• Ensure content directories have a deny-write ACE for anonymous Internet accounts.
FILES AND DIRECTORIES (continued)
• Remove the remote IIS administration application (\WINNT\System32\Inetsrv\IISAdmin).
• Remove resource kit tools, utilities and SDKs.
• Remove sample applications (\WINNT\Help\IISHelp, \Inetpub\IISSamples).
• Remove the IP address in the header for Content-Location.
SHARES
• Remove all unnecessary shares (including default administration shares).
• Restrict access to required shares (the Everyone group does not have access).
• Remove administrative shares (C$ and Admin$) if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
PORTS
• Restrict Internet-facing interfaces to port 80 (and 443 if SSL is used).
• Encrypt intranet traffic (for example, with SSL), or restrict Internet traffic if you do not have a secure data center infrastructure.
REGISTRY
• Restrict remote registry access.
• Secure the SAM (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash). This applies only to standalone servers.
AUDITING AND LOGGING
• Audit failed logon attempts.
• Relocate and secure IIS log files.
• Configure log files with an appropriate file size depending on the application security requirement.
• Regularly archive and analyze log files.
• Audit access to the Metabase.bin file.
• Configure IIS for W3C Extended log file format auditing.
• Read "How to use SQL Server to analyze Web logs" at support.microsoft.com.
SITES AND VIRTUAL DIRECTORIES
• Put Web sites on a non-system partition.
• Disable the "Parent paths" setting.
• Remove potentially dangerous virtual directories, including IISSamples, IISAdmin, IISHelp and Scripts.
• Remove or secure the MSADC virtual directory (RDS).
• Do not grant included directories Read Web permission.
• Restrict Write and Execute Web permissions for anonymous accounts in virtual directories.
• Ensure there is script source access only on folders that support content authoring.
• Ensure there is write access only on folders that support content authoring, and that these folders are configured for authentication (and SSL encryption, if required).
• Remove FrontPage Server Extensions (FPSE) if not used. If FPSE are used, update and restrict access to them.
• Remove the IIS Internet Printing virtual directory.
SCRIPT MAPPING
• Map extensions not used by the application to 404.dll (.idq, .htw, .ida, .shtml, .shtm, .stm, .idc, .htr, .printer).
• Map unnecessary ASP.NET file type extensions to "HttpForbiddenHandler" in Machine.config.
ISAPI FILTERS
• Remove unnecessary or unused ISAPI filters from the server.
IIS METABASE
• Restrict access to the metabase by using NTFS permissions (%systemroot%\system32\inetsrv\metabase.bin).
• Restrict IIS banner information (disable the IP address in Content-Location).
SERVER CERTIFICATES
• Ensure certificate date ranges are valid.
• Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
• Ensure the certificate's public key is valid, all the way to a trusted root authority.
• Confirm that the certificate has not been revoked.
Machine.config
• Map protected resources to HttpForbiddenHandler.
• Remove unused HttpModules.
• Disable tracing:
  <trace enabled="false" />
• Turn off debug compiles:
  <compilation debug="false" explicit="true" defaultLanguage="vb">
References
localhost/manual
http://www.voneicken.com/courses/ucsb-cs290i-wi02/papers/Concept_Apache_Arch.htm
http://www.cooperation-iws.org/wiki/index.php/Web_server_architecture
http://security.stackexchange.com/questions/77/apache-server-hardening
http://www.linuxquestions.org/questions/linux-software-2/how-apache-works-with-php-mysql-whatever-85685/
http://docstore.mik.ua/orelly/linux/apache/ch01_01.htm
http://www.devshed.com/c/a/Apache/Apache-and-the-Internet/1/
http://www.symantec.com/connect/articles/securing-apache-step-step
http://www.devdaily.com/unix/edu/UnixSysAdmin/node169.shtml
http://www.opensourcevarsity.com/phpbasics/l4bindingphptoapache
http://searchsecurity.techtarget.com/feature/Windows-IIS-server-hardening-checklist
http://en.wikipedia.org/wiki/Internet_Information_Services
http://searchwindowsserver.techtarget.com/definition/IIS
http://www.microsoft.com/web/platform/server.aspx
http://www.faqs.org/docs/apache-compile/php.html
http://dan.drydog.com/apache2php.html
THANK YOU
“Security is not a product, but a process.”
- Bruce Schneier